Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
668
Views
0
Helpful
4
Replies

ASA 9.6 Global Inspect Policy

Go to solution
karamalomari
Level 1
Level 1

‎01-03-2023 10:53 PM

class-map global-class
match access-list global_mpc
class-map outside_policy1
match access-list outside_policy
class-map class_sip_tcp
match port tcp eq sip
class-map outside_policy
match access-list outside_policy
class-map testing
!
policy-map type inspect h323 RRQ-RCF-INSPECTION
parameters
policy-map outside_policy
class outside_policy
inspect h323 h225
class outside_policy1
inspect h323 ras
policy-map type inspect dcerpc WSUS_Test
parameters
timeout pinhole 0:30:00
match uuid ms-rpc-epm
log
match uuid ms-rpc-isystemactivator
log
match uuid ms-rpc-oxidresolver
log
policy-map global-policy
class inspection_default
inspect ftp
inspect skinny
inspect sqlnet
inspect sip
inspect rtsp
inspect icmp
inspect icmp error
inspect tftp
inspect h323 h225
inspect h323 ras
class class_sip_tcp
inspect sip
class global-class
inspect dcerpc WSUS_Test
class class-default
user-statictics accounting
!
service-policy global_policy global
!

This policy is inspecting (h323 h225 & h323 ras) which is needed by our VC service but is impacting VoIP services.
Is there a way to keep (h323 h225 & h323 ras) as a global policy and create another inspect policy and apply it ONLY to specific policies?

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-04-2023 01:23 AM

In general technically inspecting voice traffic have other effect, to fix the issue, you should not inspect that voip traffic, until you have any reason to inspect.

if you looking to custom, you need to create one and attached to interface and test it.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/inspect-service-policy.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-04-2023 03:18 PM - edited ‎01-05-2023 01:19 AM

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Inspection of Voice and Video Protocols [Cisco ASA 5500-X Series Firewalls] - Cisco

I dont get what class map you use but refere to above link how you can config H323 inspection.

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎01-05-2023 12:41 AM

Yes, so long as you are able to create a match criteria that will just match on the VOIP traffic or whatever other traffic you want a different inspection policy for.  Just create a new class-map for your matching and then place that in the global policy map with the inspection settings you want.  Then when traffic is being matched, this "user defined" class will be checked for a match first before going to the inspection_default class.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-04-2023 01:23 AM

In general technically inspecting voice traffic have other effect, to fix the issue, you should not inspect that voip traffic, until you have any reason to inspect.

if you looking to custom, you need to create one and attached to interface and test it.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/inspect-service-policy.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-04-2023 03:18 PM - edited ‎01-05-2023 01:19 AM

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Inspection of Voice and Video Protocols [Cisco ASA 5500-X Series Firewalls] - Cisco

I dont get what class map you use but refere to above link how you can config H323 inspection.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎01-05-2023 12:41 AM

Yes, so long as you are able to create a match criteria that will just match on the VOIP traffic or whatever other traffic you want a different inspection policy for.  Just create a new class-map for your matching and then place that in the global policy map with the inspection settings you want.  Then when traffic is being matched, this "user defined" class will be checked for a match first before going to the inspection_default class.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
karamalomari
Level 1
Level 1
In response to Marius Gunnerud

‎02-02-2023 09:26 PM

So basically in the default inspect policy I need to keep both inspect h323 h225 & inspect h323 ras, but I will create a custom policy to remove inspect h323 h225 & inspect h323 ras and apply it on the interface.

The question now both Video Devices & IP Phone traffic are coming through the same interface which is the outside, so if I keep the default inspect policy and create a custom one for IP Phones and apply it on the outside interface? Video call will go with the default inspect policy and IP Phone will match the custom inspect policy? Is this is right?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card